Enterprises large and small are aware of the threat of cyberattacks and security breaches. Many spend large portions of their annual budgets on mitigation tools like hardware and device firewalls, antivirus software, and continuous monitoring tools. However, companies may be missing one major avenue of breaches and cybercrimes: people.
Unsuspecting employees are often the targets of malicious actors using social engineering techniques. According to an Accenture study, the average cost to a company of phishing and/or social engineering was $1.4 million in 2018.
In a recent survey conducted by Electric, 71% of IT professionals indicated an employee at their organization had succumbed to a social engineering attack since the pandemic began.
All companies, and in particular SMBs, need to take the threat of social engineering attacks seriously. As we continue to live in a world with more remote-first and dispersed workforces, it’s likely that nefarious actors will continue to find new ways to exploit the situation.
What is a Social Engineering Attack?
Social engineering attacks are breaches or incidents that initially target people rather than devices or software. The attacks attempt to exploit human behavior and weaknesses rather than try to “break in” to a company’s cybersecurity defenses using technical skills. They can take place in person and over the phone, but more recent successful social engineering attacks have been facilitated via email or social media.
Some of the most infamous hacks in recent years — Sony Pictures, Target, and the Democratic Party in 2016 — were the result of social engineering attacks.
The 4 Most Common Types of Social Engineering Attacks
Below we discuss some of the most common types of social engineering attacks, and how to prevent them.
Phishing is likely the most widely used type of social engineering attack. Scammers use emails (and increasingly text messages) to trick victims into divulging sensitive information. These emails and messages appear to come from a trusted source like an IT employee or a known vendor or contractor.
The messages often appeal to a sense of urgency by informing the reader that “something is wrong with an account” or an “invoice needs to be paid immediately.” Readers may be encouraged to click on a link where they will inadvertently enter credentials or financial information. Phishing emails may also direct the reader to download a file which usually contains malware.
There is a variant of phishing known as “whaling” or “spear phishing.” If you were to think of phishing as casting a wide net, whaling is more targeted. Instead of sending hundreds of employees a generic email, whaling and spear phishing attacks target a small number of employees, usually ones with a high level of authority.
One of the most infamous spear phishing attacks in recent years targeted John Podesta, chair of Hillary Clinton’s 2016 presidential campaign. Podesta received a fraudulent email appearing to be from the Gmail security team. He followed a URL to a fake login page where he entered his credentials. The group behind this social engineering attack was a Russian hacking group that gave the contents of the email account to Wikileaks.
Baiting is a social engineering attack that takes advantage of our natural curiosity and desire for information. The “bait” is often insider information that the victim would not normally have access to. One way that this social engineering attack is performed is by a hacker leaving a USB drive in a conspicuous place inside or near an office. It usually has an enticing label (e.g., board meeting minutes, employee salaries) that will tempt the finder into taking the device and plugging it into their machine. However, the USB likely contains malware that will give the hacker more access to a company’s network.
With fewer people in offices due to the rise of remote work, other forms of baiting are becoming more common. Similar to a phishing attack, a victim may be lured into downloading a digital file that also contains malware.
Tailgating is an old-fashioned hacking technique, but malicious actors still find it effective. Someone posing as an employee of a company will follow an actual employee into a building or restricted area by pretending to have forgotten their key card. The malicious person may also pose as a delivery person attempting to drop off a package. Once inside, the attacker may try to install malicious software on unsupervised terminals or plant USB keys around for a future baiting social engineering attack.
You can think of pretexting as a more sophisticated step up from phishing. Hackers engaging in pretexting build a seemingly trusting relationship with their victim by impersonating someone known to them. This might be through a series of emails, text messages, and possibly phone calls. Once the relationship is established, the hacker may ask the victim to disclose sensitive information, usually in the guise of needing it to be able to do their job. The victim assumes that the request is legitimate and there is nothing out of the ordinary about it.
According to the Wall Street Journal, a hacker recently used a mix of pretexting and an AI-generated voice of the CEO of a German company to convince the CEO of its UK subsidiary to transfer $243,000 to a Hungarian supplier. The victim thought he received a call from the actual CEO of the parent company in Germany. In actuality, the AI-generated call replicated the voice and German accent of the impersonated CEO well enough to get the UK subsidiary CEO to perceive it as his boss’s voice.
How Can I Prevent Social Engineering Attacks?
No amount of antivirus software or network firewalls is going to prevent an employee from giving information to someone that they think that they know and trust. The first step in defending against social engineering attacks is educating your workforce on its existence and the problems it can cause. This should include ongoing training about commonly used and new cyberthreats so employees know what to look for.
Although education is key, here are a few simple steps you can take today to avoid falling victim to social engineering attacks:
- Hover over all hyperlinks before clicking on them to confirm the URL directs to a legitimate site.
- Tell anyone who asks for sensitive information that you will call them back at the phone number or email address listed for them in the company directory.
- Be wary of messages asking for sensitive information; forward them to your IT or security department.
- Leverage end-to-end encryption tools; you can even use them to encrypt mail in your existing Gmail or Microsoft Office account.
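The first step above, checking where a link really goes before clicking it, can also be automated for a security team that wants to pre-screen reported messages. The script below is an added example written for this page, not code from Electric or from the original post. It extracts every anchor from an email body, compares the visible link text with the real `href`, and flags targets outside an allowlist of trusted domains (the `TRUSTED_DOMAINS` list, the `SAMPLE_EMAIL` body and the hostnames in it are all constructed for the example). It also catches the lookalike pattern where a trusted name is buried inside an attacker-controlled host, such as `example.com.billing-update.org`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of domains a hypothetical company treats as legitimate.
TRUSTED_DOMAINS = ("example.com", "accounts.google.com")

# Constructed sample email body, modelled on the urgency phrasing used in phishing.
SAMPLE_EMAIL = """
<p>Something is wrong with your account and it will be suspended today.
<a href="http://accounts-google.com.login-verify.net/auth">https://accounts.google.com/signin</a></p>
<p>This invoice needs to be paid immediately:
<a href="https://example.com.billing-update.org/pay">Pay invoice</a></p>
<p>Your monthly statement: <a href="https://example.com/invoices/42">View statement</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one (suffix match on a label boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def displayed_host(text):
    """If the visible link text itself looks like a URL, return the host it shows, else None."""
    if not _LOOKS_LIKE_URL.match(text):
        return None
    url = text if "://" in text else "http://" + text
    return (urlsplit(url).hostname or "").lower()


def check_link(href, text):
    """Return human-readable warnings for one link; an empty list means it passed every check."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    if "@" in parts.netloc:
        warnings.append("userinfo in URL; the real host is the part after the '@'")
    if not is_trusted(host):
        warnings.append(f"target host {host!r} is not on the allowlist")
        # A trusted name appearing inside an untrusted host is the classic lookalike trick.
        if any(d in host for d in TRUSTED_DOMAINS):
            warnings.append("a trusted domain name is embedded in an untrusted host (lookalike)")
    shown = displayed_host(text)
    if shown and shown != host:
        warnings.append(f"visible text shows {shown!r} but the link goes to {host!r}")
    return warnings


def audit_email(html):
    """Return one record per link: its href, its visible text and the warnings raised."""
    parser = _LinkCollector()
    parser.feed(html)
    return [{"href": h, "text": t, "warnings": check_link(h, t)} for h, t in parser.links]


if __name__ == "__main__":
    for record in audit_email(SAMPLE_EMAIL):
        status = "OK  " if not record["warnings"] else "WARN"
        print(f"{status} {record['text']!r} -> {record['href']}")
        for warning in record["warnings"]:
            print("      -", warning)
```

Run against the sample body, the first link is flagged twice (untrusted host, and visible text that shows a different host than the real target), the second is flagged as an untrusted lookalike of `example.com`, and the third passes. The allowlist check deliberately matches on a label boundary (`host == d` or `host.endswith("." + d)`) rather than a substring, which is exactly why `example.com.billing-update.org` fails it.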
In addition, use real-world examples to further explain the threat of social engineering. Many people know about the large hacks and data breaches that companies have dealt with. However, few know the actual facts of the cases, and that many were the result of someone simply being fooled by a phishing email.
We understand how damaging a social engineering attack can be to your organization and are always focused on providing you with the best-practice recommendations for security management that will keep your organization’s data well protected. Figuring out which bases you need to cover is not easy, especially in times like these, and that’s why Electric is here to support your organization.